A general-purpose agent that can do anything in your name is powerful, and that’s exactly the problem. Broad, standing access is a real security exposure: security researchers keep finding these installations left open to the internet, and an agent with the keys can be tricked into leaking data through a prompt-injection attack or into taking a destructive action you never asked for.
It also doesn’t scale. A single self-hosted agent can’t absorb a spike: 50 invoices all landing at 9am need capacity it simply doesn’t have. And it’s expensive for repetitive work: it pays the model for every click and keypress, where an optimised script with model calls added only where they earn their keep does the same job with far fewer of them. It’s fine for the odd ad-hoc task; it’s the wrong tool for repetitive work at scale.
On top of that, like ChatGPT it usually has no integrations to the internal tools you actually care about, and, being open source, there’s no one to call when it breaks at the worst possible moment. We build agents with least-privilege access, guard rails and ongoing support, so the thing running your back office is one you can trust and rely on.